
fix: skip CSRF protection for feedback form submission#2641

Merged

mroderick merged 1 commit into master from feature/skip-csrf-for-feedback-form on Jun 11, 2026

Conversation

@mroderick

Collaborator

Problem

We are seeing ActionController::InvalidAuthenticityToken errors when students try to submit feedback. This has occurred 82 times in production (Rollbar #535).

The root cause is that the feedback form requires a session cookie for CSRF protection, but browsers like Safari withhold the session cookie when they classify the request as cross-site. This happens when:

  • The user navigates to the feedback link from a third-party app (Mail, Slack, etc.)
  • Safari Intelligent Tracking Prevention (ITP) is active
  • The browser sets Sec-Fetch-Site: cross-site

Why the fix is safe

The feedback form already has its own security mechanism: a unique, unguessable secret token in the URL (e.g. /feedback/QecUjt60K2J94mBc169Myw/submit). The FeedbackRequest is looked up by this token. An attacker would need to know the token to submit the form, which is exactly the same bar as CSRF protection.

This is the standard "one-time secret link" pattern — the token itself is sufficient to prevent CSRF.

Changes

  • skip_forgery_protection only: :submit in FeedbackController
  • New controller specs covering:
    • Showing the feedback form with valid/invalid tokens
    • Submitting feedback with valid data
    • Submitting feedback with invalid data (renders form with errors)
    • Submitting feedback without a session cookie / CSRF token (the regression test)

Rollbar issue

https://app.rollbar.com/a/codebar-production/fix/item/codebar-production/535#detail
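A plain-Ruby model of the gate the PR relies on, added here as an illustration and not code from the project itself: with forgery protection skipped on `submit`, the token lookup is the only check, so a Safari cross-site request with no session cookie still succeeds when the token is valid, while an unknown token is rejected. The `FeedbackRequest` struct, the constant-time `secure_compare`, the one-time consumption (410) and the 422 on an empty comment are assumptions made for the example.

```ruby
require "securerandom"

# Constructed in-memory stand-in for the FeedbackRequest model
# (assumption: the real model's attributes are not shown in the PR).
FeedbackRequest = Struct.new(:token, :submitted, keyword_init: true)

# 16 random bytes, url-safe base64, give a 22-character token: the same
# shape as the token in the PR's example URL (/feedback/<token>/submit).
def new_feedback_request
  FeedbackRequest.new(token: SecureRandom.urlsafe_base64(16), submitted: false)
end

# Constant-time comparison so lookup timing does not leak token prefixes.
# Rails offers ActiveSupport::SecurityUtils.secure_compare; re-implemented
# here so the file runs without Rails.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def find_by_token(store, token)
  store.find { |fr| secure_compare(fr.token, token) }
end

# Models FeedbackController#submit after the fix. session_present is
# deliberately ignored: that is the point of skip_forgery_protection, the
# secret token is the only gate. Returns the HTTP status the action would.
def submit(store, token:, session_present:, params:)
  fr = find_by_token(store, token)
  return 404 if fr.nil?                              # unknown or guessed token
  return 410 if fr.submitted                         # one-time link already used (assumption)
  return 422 if params[:comment].to_s.strip.empty?   # re-render the form with errors
  fr.submitted = true
  200
end
```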

The feedback form uses a unique secret token in the URL to authenticate
the request. This is sufficient protection against CSRF — an attacker
would need to know the token to submit the form.

However, protect_from_forgery requires a session cookie, which browsers
like Safari withhold when they classify the request as cross-site (e.g.
when a user navigates from a third-party app or Intelligent Tracking
Prevention is active). This causes the form submission to fail with
ActionController::InvalidAuthenticityToken even for legitimate users.

This has caused 82 occurrences in production (Rollbar #535).

Changes:
- Skip CSRF protection on FeedbackController#submit
- Add controller specs covering show, submit, and the CSRF-exempt path

Fixes: https://app.rollbar.com/a/codebar-production/fix/item/codebar-production/535#detail
@mroderick mroderick marked this pull request as ready for review June 11, 2026 08:24

@olleolleolle olleolleolle left a comment

Collaborator


Thanks for giving good context to the fix!

@mroderick mroderick merged commit 124e044 into master Jun 11, 2026
16 checks passed
@mroderick mroderick deleted the feature/skip-csrf-for-feedback-form branch June 11, 2026 08:41